Computer implemented method for generating a pseudonym, computer readable storage medium and computer system

ABSTRACT

The invention relates to a computer implemented method for generating a pseudonym for a user comprising entering a user-selected secret, storing the user-selected secret in memory, computing a private key by applying an embedding and randomizing function onto the secret, storing the private key in the memory, computing a public key using the private key, the public key and the private key forming an asymmetric cryptographic key, erasing the secret and the private key from the memory, and outputting the public key for providing the pseudonym

CROSS REFERENCE TO RELATED APPLICATIONS

This application claims the priority of European Patent Application#EP091179974, entitled “A COMPUTER IMPLEMENTED METHOD FOR GENERATING APSEUDONYM, COMPUTER READABLE STORAGE MEDIUM AND COMPUTER SYSTEM” filedon Dec. 18, 2009.

FIELD OF THE INVENTION

The present invention relates to the field of computer implementedpseudonym generators.

BACKGROUND

Various computer implemented schemes for providing a pseudonym for auser are as such known. A pseudonym is typically used for protecting theinformational privacy of a user such as in a social network. Suchcomputer implemented schemes for providing a pseudonym typically enablethe disclosure of identities of anonymous users if an authority requestsit, if certain conditions are fulfilled. For example, Benjumea et al,Internet Research, Volume 16, No. 2, 2006 pages 120-139 devise acryptographic protocol for anonymously accessing services offered on theweb whereby such anonymous accesses can be disclosed or traced undercertain conditions.

SUMMARY

The invention provides a computer implemented method for generating apseudonym for a user comprising: entering a user-selected secret,storing the user-selected secret in memory, computing a private key byapplying an embedding and randomizing function onto the secret, storingthe private key in the memory, computing a public key using the privatekey, the public key and the private key forming an asymmetriccryptographic key, erasing the secret and the private key from thememory, outputting the public key for providing the pseudonym.

The term ‘user-selected secret’ is understood herein as any secret datathat is selected by or related to a user, such as a user-selected secretpassword or a secret key, such as a symmetric cryptographic key.Further, the term ‘user-selected secret’ does also encompass acombination of biometric data obtained from the user and a user-selectedpassword or secret key, such as a biometric hash value of the passwordor secret key.

The term ‘memory’ as used herein encompasses any volatile ornon-volatile electronic memory component or a plurality of electronicmemory components, such as a random access memory.

The term ‘embedding function’ or ‘embedding component’ as used hereinencompasses any injective function that maps the elements of ann-dimensional space onto elements of an m-dimensional space, where n>m.For the purpose of this invention, we focus on embedding functions wherem=1. In accordance with embodiments of this invention n is equal to 2and m is equal to 1 for combining two elements onto a single element. Inone embodiment, a user-selected secret and a public parameter are mappedby the embedding function to the 1-dimensional space to provide acombination of the user selected secret and a public parameter, e.g. asingle number that embeds the user selected secret. This single numberconstitutes the embedded secret. In another embodiment, a first hashvalue of the user selected secret and a random number are mapped by theembedding function to the 1-dimensional space to provide the embeddedsecret.

A ‘randomizing function’ or ‘randomizing component’ as understood hereinencompasses any injective function that provides an output of datavalues that are located within a predefined interval and wherein thedistribution of the data values within the predefined interval is asubstantially uniform distribution.

The term ‘embedding and randomizing function’ as used herein encompassesany function that implements both an embedding function and arandomizing function.

Embodiments of the present invention are particularly advantageous as anextremely high degree of protection of the informational privacy ofusers is provided. This is due to the fact that an assignment of theuser's identity to the user's pseudonym does not need to be stored andthat no third party is required for establishing a binding between thepseudonym and the user's identity. In contrast, embodiments of thepresent invention enable to generate a user's pseudonym in response tothe user's entry of a user-selected secret whereby the pseudonym isderived from the user-selected secret. As the user-selected secret isonly known by the user and not stored on any computer system there is noway that a third party could break the informational privacy of theuser, even if the computer system would be confiscated such as by agovernment authority.

This enables to store sensitive user data, such as medical data, in anunencrypted form in a publicly accessible database. The user's pseudonymcan be used as a database access key, e.g. a primary key or candidatekey value that uniquely identifies tuples in a database relation, forread and write access to data objects stored in the database.

For example, the database with pseudonymous data can be used for adecision support system, e.g. in the medical field for evaluating auser's individual medical data and processing the data by rules. Theresult of the evaluation and processing by rules may be hints andrecommendations to the physician regarding the user's health conditionand further treatment.

In accordance with an embodiment of the invention, at least one publicparameter is used for applying the embedding and randomization function.A public parameter may be the name of the user, an email address of theuser or another identifier of the user that is publicly known oraccessible. A combination of the user-selected secret and the publicparameter is generated by the embedding component of the embedding andrandomization function that is applied on the user-selected secret andthe public parameter.

The combination can be generated such as by concatenating theuser-selected secret and the public parameter or by performing a bitwiseXOR operation on the user-selected secret and the public parameter. Thisis particularly advantageous as two users may by chance select the samesecret and still obtain different pseudonyms as the combinations of theuser-selected secrets with the user-specific public parameters differ.

In accordance with an embodiment of the invention, the embeddingcomponent of the embedding and randomizing function comprises a binarycantor pairing function. The user-selected secret and the publicparameter are embedded by applying the binary cantor pairing function onthem.

In accordance with an embodiment of the invention, the randomizingcomponent of the embedding and randomizing function uses a symmetriccryptographic algorithm like the Advanced Encryption Standard (AES) orthe Data Encryption Standard (DES) by means of a symmetric key. This canbe performed by encrypting the output of the embedding component of theembedding and randomizing function, e.g. the binary cantor pairingfunction, using AES or DES.

In accordance with an embodiment of the invention, the symmetric keythat is used for randomization by means of a symmetric cryptographicalgorithm is user-specific. If the symmetric key is user-specific, theuse of a public parameter can be skipped, as well as embedding theuser-selected secret and the public parameter; the randomizing functioncan be applied then solely on the user-selected secret. By applying asymmetric cryptographic algorithm onto the user-selected secret using auser-specific symmetric key both embedding and randomization of theuser-selected secret are accomplished. If the symmetric key is notuser-specific, the use of the public parameter and embedding theuser-selected secret and the public parameter are necessary.

In accordance with an embodiment of the invention, the embedding andrandomizing function is implemented by performing the steps of applyinga first one-way function on the user-selected secret to provide a firstvalue, providing a random number, embedding the random number and thefirst value to provide a combination, and applying a second one-wayfunction on the combination to provide a second value, wherein thesecond value constitutes the private key. This embodiment isparticularly advantageous as it provides a computationally efficientmethod of implementing an embedding and randomization function.

In accordance with an embodiment of the invention, the computation ofthe public key is performed by elliptic curve cryptography (ECC). Theprivate key that is output by the embedding and randomizing function ismultiplied with a first base point given by the domain parameters of theelliptic curve to provide another point on the elliptic curve, which isthe pseudonym.

In accordance with an embodiment of the invention, it is determinedwhether the output of the embedding and randomizing function fulfils agiven criterion. For example, it is checked whether the output of theembedding and randomization function is within the interval between 2and n−1, where n is the order of the elliptic curve. If the output ofthe embedding and randomizing function does not fulfil this criterionanother random number is generated and the embedding and randomizationfunction is applied again to provide another output which is againchecked against this criterion. This process is performed repeatedlyuntil the embedding and randomizing function provides an output thatfulfils the criterion. This output is then regarded as the private keythat is used to calculate the public key, i.e. the pseudonym, bymultiplying the private key with the first base point.

In accordance with a further embodiment of the invention the base pointis varied leaving the other domain parameters unchanged for computationof multiple pseudonyms for a given user. This provides a computationallyefficient way to compute multiple pseudonyms for a given user in asecure way.

In another aspect the present invention relates to a computer readablestorage medium having stored therein instructions, which when executedby a computer system, cause the computer system to generate a pseudonymfor a user upon a user's entry of a user-selected secret by performingthe steps of storing the user-selected secret in memory, computing aprivate key by applying an embedding and randomizing function onto thesecret, storing the private key in memory, computing a public key usingthe private key, the public key and the private key forming anasymmetric cryptographic key pair, erasing the secret and the privatekey from memory, outputting the public key for providing the pseudonym.

In another aspect the present invention relates to a computer systemcomprising means for entering a user-selected secret, memory means forstoring the user-selected secret and a private key, processor meansbeing operable to compute the private key by applying an embedding andrandomizing function onto the secret, compute a public key using theprivate key, the public key and the private key forming an asymmetriccryptographic key pair, erase the secret and the private key as well asany intermediate computational results from memory, and output thepublic key for providing the pseudonym.

BRIEF DESCRIPTION OF THE DRAWINGS

In the following embodiments of the invention are explained in greaterdetail, by way of example only, making reference to the drawings inwhich:

FIG. 1 is a block diagram of a first embodiment of a computer system ofthe invention.

FIG. 2 is a flowchart being illustrative of an embodiment of a method ofthe invention.

FIG. 3 is a block diagram of a further embodiment of a computer systemof the invention.

FIG. 4 is a flowchart being illustrative of a further embodiment of amethod of the invention.

DETAILED DESCRIPTION

Throughout the following detailed description like elements of thevarious embodiments are designated by identical reference numerals.

FIG. 1 shows a computer system 100 that has a user interface 102 for auser's entry of a user-selected secret that is designated as s_(T) inthe following. For example, a keyboard 104 may be coupled to thecomputer system 100 for entry of s_(T). Instead of a keyboard 104 atouch panel or another input device can be coupled to the computersystem 100 for entry of s_(T). In addition, a sensor 106 can be coupledto the computer system 100 such as for capturing biometric data from abiometric feature of the user. For example, the sensor 106 may beimplemented as a fingerprint sensor in order to provide biometricfingerprint data to the computer system 100.

A public parameter, such as the user's name or email address, can alsobe entered into the computer system 100 via the keyboard 104 orotherwise. For example, a personal set V_(T,i) containing at least oneuser-specific public parameter, such as the user's name or emailaddress, is entered into the computer system 100 by the user T_(i).

The computer system 100 has a memory 108, such as a random accessmemory, and at least one processor 110. The memory 108 serves fortemporary storage of the user-selected secret s_(T) 112, a combination114 of s_(T) 112 and V_(T,i), a private key 116, a public key 118 thatconstitutes a pseudonym of the user T_(i), and a data object 120, suchas a medical data object containing medical data related to the userT_(i). Further, the memory 108 serves for loading computer programinstructions 122 for execution by the processor 110.

The computer program instructions 122 provide an embedding andrandomizing function 126, a key generator 128 and may also provide adatabase access function 130 when executed by the processor 110.

The embedding and randomizing function 126 may be provided as a singleprogram module or it may be implemented by a separate embedding function132 and a separate randomizing function 134. For example, the embeddingfunction 132 or an embedding component of the embedding andrandomization function 126 provides the combination 114 by concatenatings_(T) and the user's name or by performing a bitwise XOR operation ons_(T) and the user's name.

In one implementation, the embedding and randomizing function 126implements symmetric encryption provided by a symmetric cryptographicalgorithm, e.g. AES, using a user-specific symmetric key for encryptionof the user-selected secret 112. This provides both embedding andrandomizing of s_(T) 112.

In another implementation, the embedding function 132 is implemented bya binary cantor pairing function for embedding s_(T) 112 and V_(T,i),and the randomizing function 134 is implemented by AES encryption usinga symmetric key that is the same for the entire set of users T.

In still another embodiment the embedding and randomizing function 126is implemented by two different hash functions and a random numbergenerator (cf. the embodiment of FIGS. 3 and 4).

The key generator 128 serves to compute public key 118 using ellipticcurve cryptography (ECC). The private key 116 is multiplied by a basepoint given by the domain parameters of the elliptic curve whichprovides the public key 118. By varying the base point and leaving theother domain parameters of the elliptic curve unchanged multiplepseudonyms can be computed for the user T_(i) on the basis of the samesecret S_(T).

The computer system 100 may have a network interface 136 for couplingthe computer system 100 to a database 138 via a communication network140, such as the Internet. The database access function 130 enables toperform a write and a read access for accessing the data object 120stored in the database 138 using the public key 118, i.e. the user'spseudonym, as a database access key, e.g. a primary key or candidate keyvalue that uniquely identifies tuples in a database relation.

Further, an analytic system 140, such as a decision support system (DSS)can be coupled to the database 138 such as via the network 140. Theanalytic system 144 comprises a component 146 for analyzing the dataobjects of the users T which are stored in the database 138, such as bydata mining or data clustering.

In one application the data objects stored in the database 138 containmedical data of the various users. By analyzing the various data objectsusing techniques such as data mining and/or data clustering techniquesmedical knowledge can be obtained. For example, data clustering mayreveal that certain user attributes contained in the medical dataincrease the risk for certain diseases.

For generating a pseudonym p_(T,i) for a user T_(i) based on the secrets_(T) 112 and domain parameters D_(i) containing a base point for theelliptic curve cryptography the following steps are executed by thecomputer system 100 in operation:

The user T_(i) enters his or her user-selected secret s_(T) 112 such asvia the keyboard 104. In addition, the user may enter at least onepublic parameter V_(T,i) such as his name or email address via thekeyboard 104 or otherwise. Such a public parameter V_(T,i) may also bepermanently stored in the computer system 100.

The secret s_(T) 112 is temporarily stored in memory 108. Upon entry ofthe secret s_(T) 112 the embedding function 132 or the embeddingcomponent of the embedding and randomizing function 126 generates thecombination 114 of the secret s_(T) 112 and the public parameterV_(T,i). The resultant combination 114 is temporarily stored in thememory 108.

Next, the randomizing function 134 or the randomizing component of theembedding and randomizing function 126 is invoked in order to calculatethe private key 116 on the basis of the combination 114. The resultantprivate key 116 is temporarily stored in memory 108. In the next step,the key generator 128 is started for computing the public key 118 bymultiplying the private key 116 by the base point contained in thedomain parameters D_(i) of the elliptic curve being used.

The public key 118, i.e. the pseudonym p_(T,i), is stored in memory 108.The secret s_(T) 112, the combination 114 as well as the private key 116as well as any intermediate result obtained by execution of theembedding and randomizing function 126 and the key generator 128 arethen erased from the memory 108 and/or the processor 110. As aconsequence, there is no technical means to reconstruct the assignmentof the resultant pseudonym to the user T_(i) as only the user knows thesecret s_(T) 112 that has led to the generation of his or her pseudonymp_(T,i). A data object 120 containing sensitive data of the user T_(i),such as medical data, can then be stored by execution of the databaseaccess function 130 in the pseudomized database 138 using the pseudonymp_(T,i) as a database access key, e.g. a primary key or candidate keyvalue that uniquely identifies tuples in a database relation.

The user-selected secret s_(T) 112 may be obtained by combining auser-selected password or secret key with biometric data of the userT_(i) that is captured by the sensor 106. For example, a hash value ofthe user-selected password or secret key is calculated by execution ofrespective program instructions by the processor 110. In this instancethe hash value provides the user-selected secret s_(T) 112 on which thefollowing calculations are based.

A plurality of users from the public set of enrolled participants T mayuse the computer system 100 to generate respective pseudonyms p_(T,i)and to store data objects containing sensitive data, such as medicalinformation in the database 138 as it has been described above in detailfor one of the users T_(i) by way of example.

For reading the data object of one of the users T_(i) from the database138 the user has to enter the secret s_(T) 112. Alternatively, the userhas to enter the user-selected password or secret key via the keyboard104 and an acquisition of the biometric data is performed using thesensor for computation of a hash value that constitutes s_(T) 112. As afurther alternative, the secret key is read by the computer system froman integrated circuit chip card of the user. On the basis of s_(T) 112the pseudonym can be computed by the computer system 100.

The pseudonym is then used for performing a database read access on thedatabase 138 in order to read one or more data objects 120 that arestored in the database 138 for that user T_(i). After the databaseaccess operation has been performed the secret s_(T) 112, thecombination 114, the private key 116 and the public key 118 are erasedfrom the computer system 100 as well as any intermediate computationalresults.

FIG. 2 shows a corresponding flowchart.

In step 200 the user T_(i) enters his or her user-selected secret s_(T)and public parameter V_(T,i). In step 202 s_(T) and V_(T),i are combinedto provide the first combination by the embedding function (cf.embedding function 132 of FIG. 1). Next, the randomizing function (cf.randomizing function 134 of FIG. 1). is applied on s_(T) and V_(T,i) instep 204 which provides a private key. As an alternative, an embeddingand randomizing function is applied on s_(T) and V_(T,i) which providesthe private key.

In step 206 a public key is computed using the private key obtained instep 204 and the public key is used in step 208 as a pseudonym of theuser T. For example the pseudonym may be used as a database access key,e.g. a primary key or candidate key value that uniquely identifiestuples in a database relation for storing a data object for the userT_(i) in a database with pseudonymous data (cf. database 138 of FIG. 1).

FIG. 3 shows a further embodiment of computer system 100. In theembodiment considered here the embedding and randomizing function 126comprises an embedding function 132, a random number generator 148, afirst hash function 150 and a second hash function 152. In theembodiment considered here the computation of the private key 116 basedon s_(T) 112 may be performed as follows:

The first hash function 150 is applied on the user-selected secret s_(T)112. This provides a first hash value. Next, a random number is providedby the random number generator 148. The random number and the first hashvalue are combined by the embedding function 132 to provide thecombination, i.e. the embedded secret s_(T) 112.

The combination of the first hash value and the random number can beobtained by concatenating the first hash value and the random number orby performing a bitwise XOR operation on the first hash value and therandom number by the embedding function 132. The result is a combinationon which the second hash function 152 is applied to provide a secondhash value. The second hash value is the private key 116 on which thecalculation of the public key 118 is based.

Dependent on the implementation it may be necessary to determine whetherthe second hash value fulfils one or more predefined conditions. Only ifsuch conditions are fulfilled by the second hash value it is possible touse the second hash value as the private key 116 for the followingcomputations. If the second hash value does not fulfill one or more ofthe predefined conditions a new random number is provided by the randomnumber generator 148 on the basis of which a new second hash value iscomputed which is again checked against the one or more predefinedconditions (cf. the embodiment of FIG. 4).

The random number on the basis of which the private key 116 andthereafter the public key 118 has been computed is stored in a database154 that is coupled to the computer system 100 via the network 140. Therandom number may be stored in the database 154 using the publicparameter V_(T,i) as the database access key for retrieving the randomnumber for reconstructing the pseudonym at a later point of time.

The user T_(i) may use the pseudonym provided by the computer system 100for his or her registration in an anonymous online community 156 e.g. asocial network. For registration the user T_(i) creates his or her userprofile 158 by entering the pseudonym 118 as the username such that thevarious private data entered into the user profile 158 remain privateeven though they are published in the online community 156 due to thefact that the assignment of the pseudonym to the user T_(i) is storednowhere and cannot be reconstructed by technical means without knowledgeof the user-selected secret s_(T) 112.

For reconstructing the pseudonym the user has to enter his or heruser-selected secret s_(T) 112 into the computer system on the basis ofwhich the first hash value is generated by the hash function 150 and thecombination 114 is generated by the embedding function 132 or theembedding component of the embedding and randomizing function 126 usingthe first hash value and the random number retrieved from the database154.

Depending on the implementation, the user may also need to enter theuser's public parameter V_(T,i). A database access is performed usingthe user's public parameter V_(T),i as a database access key, e.g. aprimary key or candidate key value that uniquely identifies tuples in adatabase relation, in order to retrieve the random number stored in thedatabase 154.

In other words, the reconstruction of the private key 116 is performedby applying the embedding function 132 on the first hash value obtainedfrom the user-selected secret s_(T) 112 and the retrieved random numberwhich yields the combination 114. The first hash value is combined withthe random number retrieved from the database 154 by the embeddingfunction 132 to provide the combination onto which the second hashfunction 152 is applied which returns the private key 116, out of whichthe public key 118, i.e. the pseudonym, can be computed. After the userT_(i) has recovered his or her pseudonym a database access for readingand/or writing from or to the database 138 may be performed or the usermay log into the online community 156 using his or her pseudonym foranonymous participation in the online community 156.

FIG. 4 shows a respective flowchart for generating a pseudonym p_(T,i)for user T_(i). In step 300 the user enters the user-selected secrets_(T). In step 304 a first hash function is applied on the user-selectedsecret s_(T) which provides a first hash value. In step 306 a randomnumber is generated and in step 308 an embedding function is applied onthe first hash value and the random number to provide a combination ofthe first hash value and the random number. In other words, the firsthash value and the random number are mapped to a 1-dimensional space,e.g. a single number, by the embedding function. The combination can beobtained by concatenating the random number and the first hash value orby performing a bitwise XOR operation on the first hash value and therandom number.

In step 310 a second hash function is applied on the combination whichprovides a second hash value. The second hash value is a candidate forthe private key. Depending on the implementation the second hash valuemay only be usable as a private key if it fulfils one or more predefinedconditions. For example, if ECC is used, it is checked whether thesecond hash value is within the interval between 2 and n−1, where n isthe order of the elliptic curve.

Fulfillment of such a predefined condition is checked in step 312. Ifthe condition is not fulfilled, the control returns to step 306. If thecondition is fulfilled, then the second hash value qualifies to be usedas a private key in step 314 to compute a respective public keyproviding an asymmetric cryptographic key-pair consisting of the privatekey and the public key. In step 316 the public key computed in step 314is used as a pseudonym such as for accessing a pseudomized database,participation in an anonymous online community or other purposes.

Mathematical Appendix 1. Embedding Functions.

There exist n-ary scalar functions

d_(i)N×N−N_(d)

which are injective—and even bijective, where N is the set of naturalnumbers. The function d( ) embeds uniquely an n-dimensional space, i.e.n-tuples (k₁, . . . , k_(n)), into scalars, i.e. natural numbers k.

2. The Binary Cantor Pairing Function

The binary cantor pairing function is an embodiment of embeddingfunction 132. The binary cantor pairing function is defined as follows:

m N × N  − N${\pi \left( {m,n} \right)} = {{\frac{1}{2}\left( {m + n} \right)\left( {m + n + 1} \right)} + n}$

which assigns to each fraction m/n the unique natural number π(m,n)—thus demonstrating that there are no more fractions than integers.Hence, if we map both s_(T) and V_(T),i to natural numbers and use thefact that all identities are distinct then π(s_(T), V_(T),i) yields aunique value for each identity, even if there are equal personalsecrets. To be more precise, since this function does not distinguishbetween e.g. ½, 2/4 etc, it assigns to each fraction an infinite numberof unique natural numbers.

3. Elliptic Curve Cryptography (ECC)

Let:

-   -   p be a prime number, p>3, and |F_(p) the corresponding finite        field a and b integers

Then the set E of points (x, y) such that

E={(x,y)ε|F _(p) ×|F _(p) |y ² =x ³ +ax+b}  (F1)

defines an elliptic curve in |F_(p). (For reasons of simplicity, we skipthe details on E being non-singular and, as well, we do not consider theformulae of elliptic curves over finite fields with p=2 and p=3. Thesubsequent statements apply to these curves, too.)

The number m of points on E is its order.

Let P,QεE be two points on E. Then the addition of points

P+Q=R and RεE  (F2)

can be defined in such a way that E forms an Abelian group, viz, itsatisfies the rules of ordinary addition of integers. By writing

P+P=[2]P

We define the k-times addition of P as [k]P, the point multiplication.

Now EC-DLP, the elliptic curve discretionary logarithm problem, statesthat if

Q=[k]P  (F3)

then with suitably chosen a, b, p and P, which are known to public, andthe as well known to the public point Q it is computationally infeasibleto determine the integer k.

The order n of a point P is the order of the subgroup generated by P,i.e. the number of elements in the set

{P,[2]P, . . . , [n]P}  (F4)

With all this in mind we define an elliptic curve cryptographic (ECC)system as follows. Let:

E be an elliptic curve of order mBεEa point of E of order n, the base point

Then

D={a,b,p,B,n,co(B)}  (F5)

with

${{co}(B)} = \frac{m}{n}$

defines a set of domain ECC-parameters. Let now g be an integer and

Q=[g]B  (F6)

Then (g, Q) is an ECC-key-pair with g being the private key and Q thepublic key.

For we rely on findings of Technical Guideline TR-03111, Version 1.11,issued by the Bundesamt für Sicherheit in der Informationstechnik (BSI),one of the best accredited source for cryptographically strong ellipticcurves, we can take that m=n, i.e. co(B)=1, and hence reduce (F5) to

D={a,b,p,B,n}  (F7)

Now we can define our one-way function. Let D be a set of domainparameters concordant with (F7). Then

f:[2,n−1]→E

k

[k]B  (F8)

i.e. the point multiplication (F6), is an injective one-way function.

4. Implementing Key Generator Based on ECC

The key generator 128 (cf. FIGS. 1 and 3) can be implemented using ECC.

Definitions:

-   -   There are public sets of ECC-domain parameters D₁, D₂, . . .        concordant with (F7)

D_(i)={a_(i),b_(i),p_(i),B_(i),n_(i)}  (F9)

-   -   There are public functions: an embedding function do, a        randomising function r( ) and our one-way function f( ) defined        by (F8).    -   There is a public set of enrolled participants (users)

T={T₁,T₂, . . . }  (F10)

Note that a T_(i) does not necessarily possess any personallyidentifying details, i.e. we assume that T resembles the list ofparticipants in an anonymous Internet-community, in which eachparticipant can select his name at his discretion as long as it isunique.

-   -   Each participant TεT chooses at his complete discretion his        personal secret s_(T). In particular, for this secret is never        revealed to anybody else—it is the participant's responsibility        to ensure this—it is not subject to any mandatory conditions,        such as uniqueness.    -   Our pseudonym derivation function is

h( )=f(r(d( ))  (F11)

-   -    with the following properties:    -   Given a TεT with his s_(T), a D_(i) and T, D_(i)εV_(T,i)

r(d(s _(T) ,V _(T,i)))=g _(T,i)  (F12)

-   -    where g_(T,i) is a unique and strong, i.e. sufficiently random,        private ECC-key for D_(i).    -   The pseudonym p_(T,i) corresponding to T, s_(T) and D_(i) is

p _(T,i) =f(g _(T,i) ,D _(i))=[g _(T,i) ]B _(i)=(x _(T,i) ,y_(T,i))  (F13)

-   -   There is a public set of pseudonyms

P={p₁, p₂, . . . }  (F14)

such that P comprises one or more pseudonyms for each participant in Tcomputed according to (F11). This wording implies that here is norecorded correspondence between a participant in T and his pseudonyms inP, i.e. each p_(T,i) is inserted in an anonymous way as p_(k) into P.

Remarks:

-   -   The use of multiple domain parameters enables us to endow a        single participant with a single personal secret with multiple        pseudonyms. This in turn enables a participant to be a member of        multiple pseudonymous groups such that data of these groups        cannot—for, e.g. personal or legal reasons—be correlated.        Therefore, attempts to exploit combined pseudonymous profiles        for unintended, possibly malicious purposes, are of no avail.    -   The distinction between two sets of domain parameters D_(i) and        D_(j) can be minor. In accordance with our principle to use only        accredited domain parameters, e.g. those listed in BSI TR-03111,        we can set

D_(i)={a,b,p,B,n}  (F15)

-   -    by swapping B for a statistically independent B₂, i.e. by        choosing a different base point, we can set

D_(j)={a,b,p,B₂,n}  (F16)

-   -    For D_(i) and D_(j) refer to the same elliptic curve we can        have only one function (F12) and introduce the crucial        distinction with (F13). This vastly simplifies concrete        implementations—we select a suitable curve and vary the base        points only.

Although the invention herein has been described with reference toparticular embodiments, it is to be understood that these embodimentsare merely illustrative of the principles and applications of thepresent invention. It is therefore to be understood that numerousmodifications may be made to the illustrative embodiments and that otherarrangements may be devised without departing from the spirit and scopeof the present invention as defined by the appended claims.

List of Reference Numerals 100 Computer system 102 User interface 104Keyboard 106 Sensor 108 Memory 110 Processor 112 A user-selected secret114 Combination 116 Private key 118 Public key 120 Data object 122Computer program instructions 124 Combination generator 126 Embeddingand randomizing function 128 Key generator 130 Database access function132 Embedding function 134 Randomizing function 136 Network interface138 Database 140 Network 144 Analytic system 146 Component 148 Randomnumber generator 150 Hash function 152 Hash function 154 Database 156Online community 158 User profile

1. A computer implemented method for generating a pseudonym for a usercomprising: entering a user-selected secret and storing saiduser-selected secret into a memory; computing a private key by applyingan embedding and randomizing function onto said user-selected secret;storing the private key in the memory; computing a public key using theprivate key, the public key and the private key forming an asymmetriccryptographic key pair; erasing said user-selected secret and theprivate key from the memory after said public key is computed; andoutputting the public key for providing the pseudonym, wherein saidpseudonym is assigned as an identity of said user and a binding betweensaid pseudonym and said user's identity is not established by any thirdparty.
 2. The method of claim 1, the secret being selected from thegroup consisting of a user-selected password, a secret key, biometricdata.
 3. The method of claim 1, further comprising using at least onepublic parameter for applying the embedding and randomization function.4. The method of claim 3, the public parameter being selected from thegroup consisting of a username, a user email address, a user identifier,and wherein the embedding and randomizing function is applied on thepublic parameter and the secret to provide a combination.
 5. The methodof claim 1, wherein the embedding and randomization function comprises abinary Cantor pairing function for embedding the secret.
 6. The methodof claim 1, the embedding and randomizing function comprising encryptingat least the embedded secret using a symmetric cryptographic algorithmby means of a symmetric key for randomizing the embedded secret.
 7. Themethod of claim 1, the embedding and randomizing function comprisingencrypting at least the secret using AES by means of a user-specificsymmetric key for embedding and randomizing the secret.
 8. The method ofclaim 1, wherein the embedding and randomizing function comprises:applying a first one-way function on the secret to provide a firstvalue, providing a random number; embedding the random number and thefirst value by combining them to provide a combination; and applying asecond one-way function on the combination to provide a second value,wherein the second value constitutes the private key.
 9. The method ofclaim 8, wherein the first one-way function is a first hash function,and the second one-way function is a second hash function.
 10. Themethod of claim 8, further comprising storing the random number in adatabase using a public parameter assigned to the user as a databaseaccess key.
 11. The method of claim 8, wherein the computation of thepublic key is performed by ECC cryptography.
 12. The method of claim 11,further comprising providing a set of domain parameters comprising afirst base point for the ECC cryptography, computing a first public keyfor providing a first pseudonym by the ECC cryptography using the domainparameters and the first base point, replacing the first base point by asecond base point in the domain parameters, and computing a secondpublic key by ECC cryptography using the second base point to provide asecond pseudonym.
 13. The method of claim 1, further comprising usingthe pseudonym as a database access key for storing a data object in adatabase.
 14. The method of claim 1, further comprising storing thepseudonym in a user profile that is assigned to the user as theusername.
 15. A non-transitory tangible computer readable storage mediumhaving stored therein instructions, which when executed by a computersystem cause the computer system to generate a pseudonym for a user uponthe user's entry of a user-selected secret by performing the steps of:receiving the user-selected secret and storing the user-selected secretin a memory; computing a private key by applying an embedding andrandomizing function onto said user-selected secret; storing the privatekey in the memory; computing a public key using the private key, thepublic key and the private key forming an asymmetric cryptographic keypair; erasing the user-selected secret and the private key from thememory after the public key is computed; and outputting the public keyfor providing the pseudonym, wherein said pseudonym is assigned as anidentity of said user and a binding between said pseudonym and saiduser's identity is not established by any third party.
 16. A computersystem comprising: means for entering a user-selected secret and storingthe user-selected secret and a private key in a memory; processor meansbeing operable to: compute the private key by applying an embedding andrandomizing function onto the user-selected secret; compute a public keyusing the private key, the public key and the private key forming anasymmetric cryptographic key pair; erase the user-selected secret andthe private key from the memory after the public key is computed; andoutput the public key for providing the pseudonym, wherein saidpseudonym is assigned as an identity of said user and a binding betweensaid pseudonym and said user's identity is not established by any thirdparty.
 17. The computer system of claim 16, further comprising adatabase and means for performing a database access operation using thepseudonym for storing a pseudonymous data object in the database. 18.The computer system of claim 17, further comprising an analytic systemfor analyzing the pseudomized data objects stored in the database, theanalytic system comprising one of a data mining or a clusteringcomponent for performing the analysis.
 19. The computer system of claim16, the means for computing a private key by applying an embedding andrandomizing function onto the secret implementing a binary cantorpairing function for embedding the secret.
 20. The computer system ofclaim 16, wherein the means for computing a private key by applying anembedding and randomizing function onto the secret is operable toperform the steps of: applying a first one-way function on the secret toprovide a first value; providing a random number; embedding the randomnumber and the first value for providing a second combination; andapplying a second one-way function on the second combination to providea second value, wherein the second value constitutes the private key.